{"id":2220099,"url":"http://patchwork.ozlabs.org/api/patches/2220099/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/4bd30a75fc6c59d459d6d955085b065fdac36357.1775469458.git.cengiz.can@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<4bd30a75fc6c59d459d6d955085b065fdac36357.1775469458.git.cengiz.can@canonical.com>","list_archive_url":null,"date":"2026-04-06T10:51:17","name":"[SRU,Q,1/1] nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"f03735a22378b9cc6d92b86f36a71f5d46d4af68","submitter":{"id":84024,"url":"http://patchwork.ozlabs.org/api/people/84024/?format=json","name":"Cengiz Can","email":"cengiz.can@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/4bd30a75fc6c59d459d6d955085b065fdac36357.1775469458.git.cengiz.can@canonical.com/mbox/","series":[{"id":498839,"url":"http://patchwork.ozlabs.org/api/series/498839/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=498839","date":"2026-04-06T10:51:17","name":"CVE-2026-23112","version":1,"mbox":"http://patchwork.ozlabs.org/series/498839/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2220099/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2220099/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n 
unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=owmk5bCB;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fq5jn0NPGz1yGn\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 06 Apr 2026 20:51:40 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1w9hYI-0005vi-JF; Mon, 06 Apr 2026 10:51:30 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <cengiz.can@canonical.com>)\n id 1w9hYH-0005vG-4F\n for kernel-team@lists.ubuntu.com; Mon, 06 Apr 2026 10:51:29 +0000","from mail-wm1-f69.google.com (mail-wm1-f69.google.com\n [209.85.128.69])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 1070D3F1CC\n for <kernel-team@lists.ubuntu.com>; Mon,  6 Apr 2026 10:51:29 +0000 (UTC)","by mail-wm1-f69.google.com with SMTP id\n 5b1f17b1804b1-4889e505136so11639745e9.0\n for <kernel-team@lists.ubuntu.com>; Mon, 06 Apr 2026 03:51:29 -0700 (PDT)","from localhost ([176.41.26.180]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48895e19c10sm273088155e9.8.2026.04.06.03.51.27\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 
bits=256/256);\n Mon, 06 Apr 2026 03:51:27 -0700 (PDT)"],"X-Received":["by 2002:a05:600c:a405:b0:47e:e59c:67c5 with SMTP id\n 5b1f17b1804b1-48899480082mr131329775e9.8.1775472688281;\n Mon, 06 Apr 2026 03:51:28 -0700 (PDT)","by 2002:a05:600c:a405:b0:47e:e59c:67c5 with SMTP id\n 5b1f17b1804b1-48899480082mr131329535e9.8.1775472687781;\n Mon, 06 Apr 2026 03:51:27 -0700 (PDT)"],"From":"Cengiz Can <cengiz.can@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][Q][PATCH 1/1] nvmet-tcp: add bounds checks in\n nvmet_tcp_build_pdu_iovec","Date":"Mon,  6 Apr 2026 13:51:17 +0300","Message-ID":"\n <4bd30a75fc6c59d459d6d955085b065fdac36357.1775469458.git.cengiz.can@canonical.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<cover.1775469458.git.cengiz.can@canonical.com>","References":"<177546945105.885203.15305511673780617858@nexus9.public>\n <cover.1775469458.git.cengiz.can@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; 
charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: YunJe Shin <yjshin0438@gmail.com>\n\nnvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU\nlength or offset exceeds sg_cnt and then use bogus sg->length/offset\nvalues, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining\nentries, and sg->length/offset before building the bvec.\n\nFixes: 872d26a391da (\"nvmet-tcp: add NVMe over TCP target driver\")\nSigned-off-by: YunJe Shin <ioerts@kookmin.ac.kr>\nReviewed-by: Sagi Grimberg <sagi@grimberg.me>\nReviewed-by: Joonkyo Jung <joonkyoj@yonsei.ac.kr>\nSigned-off-by: Keith Busch <kbusch@kernel.org>\n(cherry picked from commit 52a0a98549344ca20ad81a4176d68d28e3c05a5c)\nCVE-2026-23112\nSigned-off-by: Cengiz Can <cengiz.can@canonical.com>\n---\n drivers/nvme/target/tcp.c | 17 +++++++++++++++++\n 1 file changed, 17 insertions(+)","diff":"diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c\nindex 470bf37e5a63..f7413d4ada92 100644\n--- a/drivers/nvme/target/tcp.c\n+++ b/drivers/nvme/target/tcp.c\n@@ -349,11 +349,14 @@ static void nvmet_tcp_free_cmd_buffers(struct nvmet_tcp_cmd *cmd)\n \tcmd->req.sg = NULL;\n }\n \n+static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue);\n+\n static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)\n {\n \tstruct bio_vec *iov = cmd->iov;\n \tstruct scatterlist *sg;\n \tu32 length, offset, sg_offset;\n+\tunsigned int sg_remaining;\n \tint nr_pages;\n \n \tlength = cmd->pdu_len;\n@@ -361,9 +364,22 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)\n \toffset = cmd->rbytes_done;\n \tcmd->sg_idx = offset / PAGE_SIZE;\n \tsg_offset = offset % PAGE_SIZE;\n+\tif (!cmd->req.sg_cnt || cmd->sg_idx >= cmd->req.sg_cnt) {\n+\t\tnvmet_tcp_fatal_error(cmd->queue);\n+\t\treturn;\n+\t}\n \tsg = &cmd->req.sg[cmd->sg_idx];\n+\tsg_remaining = 
cmd->req.sg_cnt - cmd->sg_idx;\n \n \twhile (length) {\n+\t\tif (!sg_remaining) {\n+\t\t\tnvmet_tcp_fatal_error(cmd->queue);\n+\t\t\treturn;\n+\t\t}\n+\t\tif (!sg->length || sg->length <= sg_offset) {\n+\t\t\tnvmet_tcp_fatal_error(cmd->queue);\n+\t\t\treturn;\n+\t\t}\n \t\tu32 iov_len = min_t(u32, length, sg->length - sg_offset);\n \n \t\tbvec_set_page(iov, sg_page(sg), iov_len,\n@@ -371,6 +387,7 @@ static void nvmet_tcp_build_pdu_iovec(struct nvmet_tcp_cmd *cmd)\n \n \t\tlength -= iov_len;\n \t\tsg = sg_next(sg);\n+\t\tsg_remaining--;\n \t\tiov++;\n \t\tsg_offset = 0;\n \t}\n","prefixes":["SRU","Q","1/1"]}
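Review bot: in the second hunk of nvmet_tcp_build_pdu_iovec(), "cmd->sg_idx = offset / PAGE_SIZE;" is stored before the new "cmd->sg_idx >= cmd->req.sg_cnt" check, so on the error path the command keeps an out-of-range sg_idx, and because the function is "static void" each bare "return" gives the caller no signal that the iovec was not built. Consider computing the index into a local and assigning cmd->sg_idx only after the check passes, and confirm that every caller stops using cmd->iov once nvmet_tcp_fatal_error() has run. Two smaller points in the loop body: "!sg->length ||" is redundant, since sg_offset is a u32 and "sg->length <= sg_offset" already covers a zero length; and the new checks sit above "u32 iov_len = min_t(...)", which leaves a declaration after statements, so declare iov_len at the top of the loop body and assign it after the checks.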